Hey guys, I have a crucial decision I have to make about a platform I’m building, and I really need your help to make this decision in regards to security. Here’s what I’m trying to accomplish:
Platform: Highly Available Wordpress hosting using Galera, GlusterFS & LXD (don't worry about the SQL part)
- One container per customer on a VM (or ded server)
- (preferably) One 3 node GlusterFS Cluster for the Wordpress files of all customers' containers
- GlusterFS volume divided into subdirectories (one per customer), with ACLs to control permissions (see *)
- Gluster Volume subdirectories Bind Mounted into their respective containers (i.e. /data/gluster/user1 -> container:/data/gluster)
- LXC User/Group mappings to make the ACLs work

My concerns:
- (*) Although the containers are isolated (all but the shared kernel), and that in itself is probably secure enough to feel ok about it, introducing a shared Gluster volume into the mix and depending on ACLs makes me a bit nervous. I'd like your opinions on what the norm is in the world (the PaaSs, etc) and if you guys think this is a terrible idea. If you think this is not a good way of handling my needs, PLEASE help me find a better solution.

My hangups:
- I know PaaSs have found incredibly efficient ways to provide containerized apps with high availability, and I tend to highly doubt they're throwing up 3+ GlusterFS VMs for every single app they deploy. This to me seems like an impossibly cost-ineffective approach. Correct me if I'm wrong. That being said, I'm not 100% sure how they're doing it.

Odd thoughts & alternative solutions that have crossed my mind:
- To avoid using a shared single Gluster Volume and ACLs altogether, while also avoiding too much infrastructure cost, I've thought of possibly putting up a 3 VM Gluster cluster, each with matching LXD Containers on them with Gluster server daemons running in those containers. I could use those containers & networking to simulate having multiple 3 node Gluster Clusters, each being dedicated to a respective containerized app on the App Server. This to me seems like it would be an unnecessarily complex and annoying-to-maintain solution, so please help me here.
I hugely appreciate anyone's help; this is a huge passion project of mine and I've dedicated an absurd number of hours reading to try and figure this out.

Best Regards,
Zach Lanich
Business Owner, Entrepreneur, Creative
Owner/CTO weCreate LLC
www.WeCreate.com
_______________________________________________ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users
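As an added example (not part of Zach's post, nor LXD or Gluster code), this Python models the uid mapping behind the ACL scheme above: the www-data uid inside each customer's container is translated through that container's idmap to a host uid, and the host uid is what the ACL on the bind-mounted subdirectory must name. The idmap values are constructed; the check worth running is that when containers share one map (LXD's default unless security.idmap.isolated is set) every customer's www-data becomes the same host uid, so per-directory ACLs cannot separate them.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class IdMap:
    """One uid range: container ids [nsid, nsid+range) -> host ids [hostid, hostid+range).
    Values are constructed for illustration; real ones come from the container's idmap."""
    nsid: int
    hostid: int
    range: int

    def to_host(self, ctr_uid: int) -> int:
        if not (self.nsid <= ctr_uid < self.nsid + self.range):
            raise ValueError(f"uid {ctr_uid} is outside the mapped range")
        return self.hostid + (ctr_uid - self.nsid)

WWW_DATA = 33  # www-data inside a Debian/Ubuntu container

# Constructed maps. SHARED: both containers use one common range (LXD default).
# ISOLATED: each container gets its own 65536-id block (security.idmap.isolated).
SHARED = {"user1": IdMap(0, 1000000, 1000000000),
          "user2": IdMap(0, 1000000, 1000000000)}
ISOLATED = {"user1": IdMap(0, 1000000, 65536),
            "user2": IdMap(0, 1065536, 65536)}

def host_uids(maps: dict[str, IdMap], ctr_uid: int = WWW_DATA) -> dict[str, int]:
    """Host uid that each container's web user owns files as on the Gluster mount."""
    return {name: m.to_host(ctr_uid) for name, m in maps.items()}

def acl_entries(host_uid: int) -> list[str]:
    """setfacl-style entries for one customer subdirectory: only the customer's
    mapped uid gets rwx (access + default ACL), the mask allows it, others get nothing."""
    return [f"u:{host_uid}:rwx", f"d:u:{host_uid}:rwx", "m::rwx", "o::---"]

def find_collisions(maps: dict[str, IdMap]) -> dict[int, list[str]]:
    """Containers whose web user lands on the same host uid: an ACL granting that
    uid on user1's subdirectory also grants user2's PHP process, so isolation is lost."""
    by_host: dict[int, list[str]] = {}
    for name, uid in host_uids(maps).items():
        by_host.setdefault(uid, []).append(name)
    return {uid: names for uid, names in by_host.items() if len(names) > 1}

if __name__ == "__main__":
    print("shared map collisions:", find_collisions(SHARED))
    print("isolated map collisions:", find_collisions(ISOLATED))
    for name, uid in host_uids(ISOLATED).items():
        print(name, "->", uid, acl_entries(uid))
```

The shared map reports both customers on host uid 1000033, while the isolated map gives user1 1000033 and user2 1065569, each with a distinct ACL entry.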